The Irish Data Protection Commissioner (DPC) has opened another inquiry into social media company TikTok, following an April decision in which it fined the company €530 million.
The DPC said the new probe under the bloc’s General Data Protection Regulation (GDPR) would focus on transfers of European Economic Area users’ data to servers located in China in light of TikTok subsequently informing the regulator that – contrary to earlier evidence the company gave – some user data was stored in China.
In its earlier GDPR investigation, the DPC found that TikTok data was remotely accessed by employees in China – which is also problematic under the GDPR. But, in April, TikTok informed the regulator that “limited” user data had in fact been stored in China.
At the time, the DPC said it would consider taking new action against TikTok in light of the new information.
China and the EU do not have a high-level agreement on personal data transfers – such as the EU has with the US or with the UK. This means that companies based in China must ensure that any transfers of European users’ data are wrapped in protections equivalent to those applied to personal information that remains in the EU.
“Our teams proactively discovered this issue through the comprehensive monitoring TikTok implemented under Project Clover. We promptly deleted this minimal amount of data from the servers and informed the DPC,” a TikTok spokesperson told Euractiv. “Our proactive report to the DPC underscores our commitment to transparency and data security,” they added.
(nl)